Microsoft Released an Emergency Security Update to Fix Two Bugs in Windows Codecs

Tuesday Microsoft published two out-of-band security updates to patch two vulnerabilities in the Microsoft Windows Codecs Library, reports ZDNet: Tracked as CVE-2020-1425 & CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions... Microsoft said the two security flaws can be exploited with the help of a specially crafted image file. If the malformed images are opened inside apps that utilize the built-in Windows Codecs Library to handle multimedia content, then attackers would be allowed to run malicious code on a Windows computer and potentially take over the device. The two bugs -- described as two remote code execution vulnerabilities -- received patches Wednesday.

"Customers do not need to take any action to receive the update," Microsoft said.

Good old MS crapware

[gweihir]

Keeps us security experts fed nicely, but I wish we would solve real problems instead, not ones caused by continued incompetence.

Re:

[CaptainDork]

We need a doover.

Microsoft started off wrong and the DNA is flawed on all OSs.

That same DNA is in the backbone of the Internet.

We need somebody to doove!

[XXongo]

We need a doover.

It took me three readings to figure out what a "doover" is.

Re:We need somebody to doove!

[93 Escort Wagon]

That’s because he forgot to put “horses” in front of it.

Re:

[CaptainDork]

I typed it in that way, considered it, and my spell checkers (two of them) did not object. :p

Maybe there's a Hoover that does doors?

Re: We need somebody to doove!

[NoMoreACs]

One Dictionary says it is Australian slang for "thingamajig".

But it also appears as one of the alternate spellings for "do over".

Personally, my internal wetware routines spit out "do-over" as being the most correct.

Re:

[Opportunist]

I wouldn't mind having a Hoover.

As long as someone else pays for her.

Re:

[Black LED]

At first I thought it was a typo of "doofer".

Re:

[DarkVader]

I was like "is that like a Hoover, but for bugs?"

Re:

[thegarbz]

Don't worry. If MS ever gets their act together you'll still have employment from Google https://www.komando.com/securi... [komando.com], Apple https://null-byte.wonderhowto.... [wonderhowto.com], and Linux https://www.cybersecurity-help... [cybersecurity-help.cz]

One day we may actually find that mythical perfect coder, but at present it looks like every OS has an exploit through codecs or media handling.

Re:

[LenKagetsu]

If a bug can change one byte of a computer's internal memory, that's more than enough to compromise it.

Re:

[yes-but-no]

I'd assume that any architecture can and will have flaws. Those got introduced due to competing design goals. The point here is whoever looks longer and deeper (ie spends more watts/time/energy/attention) will find a hole -- it's a never ending arms-race between making the fort stronger and finding holes in it.

Re:

[Bu11etmagnet]

It's all John von Neuman's fault. If code and data weren't stored in the same memory, none of this would happen.

Re:

[gweihir]

It's all John von Neuman's fault. If code and data weren't stored in the same memory, none of this would happen.

Unfortunately not even remotely true.

Re:

[kurkosdr]

I think the problem is the facts codecs and multimedia frameworks are still written in the godforsaken programming languages known as C and C++, which is why codec libraries and multimedia frameworks are a popular target for security exploits (even open source ones which are open to wide peer review like AOSP's StageFright). But if hating on Microsoft distracts you from the fact we still rely on C and C++ despite their proven ability to produce exploitable software (when it comes to software written by fall

Re:

[Opportunist]

You call it crapware, I call it job security.

Re:

[AmiMoJo]

Is Windows actually worse than other software? I mean it was back in the day but now I can't think of any similarly massive lump of code that has proven to be significantly more secure.

Last year Linux got more CVEs and that's just the kernel.

Seriously what are we using as the benchmark here?

Re:Good old MS crapware

[gweihir]

The linux kernel has CVEs mostly in drivers. You do not need to even compile them (and if you are smart, you compile exactly what you need and nothing else...) For Windows, drivers mostly are not in the kernel. Hence the comparison is not meaningful. Also, look at CVE severity.

Re:

[DarkVader]

I haven't compiled a kernel in at least a decade. I used to do it for every install, but it's mostly just an extra hassle now.

I suspect that's pretty standard.

Was Microsoft stupid for making a mistake?

[aberglas]

Or were they stupid for using a programming language that enables a fairly innocuous mistake in a codec compromise the entire computer?

Why would anyone use such a programming language!

Re:

[yes-but-no]

because C is easier to program and maintain than assembly (Of course I assume you want to squeeze the last bit of juice from your metal for the given watts - else may code in java or python)

Re:

[gweihir]

It is not the language. Buffer overflows are both easy to avoid and easy to find. If you are competent. The combination of cheap, incompetent coders and C does not go well. But neither do cheap, incompetent coders go well with any other language.

Re:

[ElizabethGreene]

I'm asking this unironically and without malice or sarcasm.

What programming language prevents security bugs?

Re:

[aberglas]

Virtually every programming language other than C/++ has memory safety. So while it is certainly possible to introduce security bugs, they will generally have a distinct cause and effect. So a codec bug might prevent the codec from working properly, but would not enable arbitrary code to be run by an attacker. A bug in a login program might well compromise the security of a system, but not a bug in a codec!

The early programming languages all had memory safety. Burroughs wrote their entire operating syst

Re:

[thegarbz]

Hence the comparison is not meaningful.

Only in the eyes of a security expert. In the eyes of a user it's completely irrelevant if a "Linux" bug sits in the kernel, in a driver, or in some userland software library.

Re:

[gweihir]

Hence the comparison is not meaningful.

Only in the eyes of a security expert. In the eyes of a user it's completely irrelevant if a "Linux" bug sits in the kernel, in a driver, or in some userland software library.

And if you had that thought through, you would have noticed that you are actually agreeing with me here. What counts for the user is the bugs that affect the user. Hence you must compare "Linux kernel + drivers" with "Windows kernel + drivers". Comparing "Linux kernel (including drivers)" with "Windows kernel (excluding drivers)" is invalid and not the comparison the user sees in actual usage. It is invalid in the same ways as comparing "Linux distro (including 1000's of applications)" with "Windows install

Re:

[AmiMoJo]

In that case we probably shouldn't be counting this vulnerability against Windows either given that it's in one of the subsystems. But this is all getting rather arbitrary now and in any case Microsoft is one of the bigger contributors to Linux these days.

Re:

[minorityreport]

> Keeps us security experts fed nicely, but I wish we would solve real problems instead, not ones caused by continued incompetence.

Crapware running on an Intel crap Memory Management Unit [sciencedirect.com]

HEVC codecs

[pmsr]

The vulnerability is with the HEVC codecs. As far as I know these are not installed by default up to Windows 10 1903 versions. Presume they can be installed by the manufacturers with their factory installations. But then again, I always wipe those and install a clean image without the bloat and just the drivers from scratch at work. Don't you?

Re:

[neilo_1701D]

The vulnerability is with the HEVC codecs. As far as I know these are not installed by default up to Windows 10 1903 versions. Presume they can be installed by the manufacturers with their factory installations. But then again, I always wipe those and install a clean image without the bloat

Dude... have you seen how much bloat is in a standard clean image nowadays?

Re:

[pmsr]

Dude... have you seen how much bloat is in a standard clean image nowadays?

Most certainly. But we live in the real world: a world of the possible, not an ideal one. And bloat, it's everywhere in this industry.

Re:

[kurkosdr]

An HEVC decoder is... bloat? If anything, considering the patent situation around HEVC and its essentiality for things like ATSC 3.0, it's a good thing an OS-provided decoder exists in the standard image, so TV tuner software can use the OS-provided decoder and be distributed as "freeware" (free of charge is good even if the source is missing, lots of people have wallets but few people care about reading the source code) or even as windows-only FOSS. Then there is the case of smartphones recording 4K in HEV

Re:

[thegarbz]

We can do you one better: They actually cost money. Attempting to open a HEVC file in the default media player on Windows 10: "Films and TV" app will redirect you to the windows store to buy the HEVC Video Extensions pack for $0.99.

It does this even if you have HEVC codecs installed and available via Direct Show, i.e. the files play fine with Windows Media Player, but the Films and TV app will attempt to nickle and dime you a bit more.

Re: HEVC codecs

[NoMoreACs]

HEIC and HEVC are the default CODECs used by Apple.

Perhaps that's the real reason why MS is putting up a small barrier to their easy use in Windows...

Send a iPhone video of your kids to your Windows-victimized Grandparents: It won't "just work". Grandpa's takeaway: Damn Apple uses "nonstandard" stuff again!

And yes, history shows MS is just exactly that petty.

Re:

[PPH]

a small barrier to their easy use in Windows

Yeah. We'll teach you Apple fans a lesson. We'll install something in our Windows users' systems that will let hackers pwn them. That'll teach you a lesson you'll never forget!

Re: HEVC codecs

[discordia60605]

Meanwhile Linux and co. have a wonderful FOSS decoder in ffmpeg, and all the browser developers actively make it difficult to obtain or compile a browser that will support HEVC on Linux. Sure, it's a nice idea to push open codecs without patent encumbrance, but good luck getting makers of cheap SOCs to support those. And until they do it takes hours of misery and gigabytes of downloading to produce a Linux browser capable of rendering the output from a $30 Chinese webcam.

Re:

[kurkosdr]

Still, better pay 0.99 once than multiple times I guess? It's an infrastructure other programs can use.

Re:

[thegarbz]

No you don't seem to understand. Windows 10's new default media player called "Films and TV" specifically does *NOT* use the infrastructure in place nor share it with other programs.

As I said I already have HEVC DirectShow filters and codecs on the system, Windows Media Player also plays HEVC content just fine, and that's before we get into free libraries or media players like VLC which bundle their own codecs. This is literally paying 99c as far as I can see to add support for a single program.

Re:

[thegarbz]

Replying to self: Maybe not single program, but certainly not programs that rely on or support Direct Show.

Re:

[PsychoSlashDot]

The vulnerability is with the HEVC codecs. As far as I know these are not installed by default up to Windows 10 1903 versions. Presume they can be installed by the manufacturers with their factory installations. But then again, I always wipe those and install a clean image without the bloat and just the drivers from scratch at work. Don't you?

They're installed manually, via the Windows Store. So probably almost nobody has them installed.

That's why they're patched via the Windows Store, not Windows Updates.

As for factory images, these days I've found both Dell and Lenovo are pretty close to clean for business-class machines. Both include their driver/firmware update tools, and Office 365 preloads, but that's about it. Most of my customers use other various Office licenses (volume license, product key cards) but removing the O365 preload i

Abondon ship!

[AndyKron]

Jesus fuck. Another emergency update? Microsoft is sinking fast. Abandon ship!

Re:

[CaptainDork]

What's interesting to me, (I'm retired IT) is that Microsoft could slip something in through the Store.

Especially on a goddam server!

Re:

[thegarbz]

It's called an auto-update for an application. It has been common to "slip" these in since the internet was invented.

This isn't a Windows vulnerability. It's a vulnerability in the HEVC Video Extensions package that users would need to buy from the store. The only thing being slipped here is a standard app update with the vulnerability fixed.

Customers do not need to take any action...

[QuietLagoon]

Well, that's good. I think.

damn reboots

[cygnusvis]

Customers do not need to take any action to receive the update

So this is why my computer woke up and rebooted itself off schedule.

Re:

[CaptainDork]

No reboot required.

We would still be hearing about lawsuits from those running Server 2019.

Re:

[thegarbz]

No. These updates are not delivered through Windows Update and do not require a reboot. They are delivered as Windows Store patches as only one specific Store app is affected, specifically the HEVC Filters. If you haven't purchased those for 99c, then you wouldn't even get this update.

Remote Execution

[backslashdot]

"Customers do not need to take any action to receive the malware," hackers said.

When Windows 10 came out, they said it was

[surfdaddy]

"The Most Secure Windows Ever!"

Re:

[backslashdot]

More secure than previous Windows? Wow, talk about a low bar.

How about CONTENT in the article? WHICH formats?

[Pierre Pants]

What's your point of NOT including any actual info in the article? Oh, it's so incredibly dangerous, yet you won't even say WHICH IMAGE FILE FORMATS? No, I don't feel like checking the links you included. You took out that desire from me, by posting this joke of an article.

Re:

[thegarbz]

No, I don't feel like checking the links you included.

If you want to be spoon fed go cry to your mommy.

And yet, Printing is still broken.

[Rainwulf]

Entire shell crashes when trying to print.